X11 based Linux keylogger

As a challenge to the paper “Unprivileged Black-Box Detection of User-Space Keyloggers“, we were askd to write a Linux keylogger that can hide behind the tool mentioned on the paper. A friend and I came up with several ideas to hide our keylogger from being detected. We didn’t manage to include all the ideas in the keylogger code because of time constraint but the professor approved that if we had included those options, their tool wouldn’t have detected it. Before writing the ideas we came up with, let me explain how their detection method works in a nutshell.

They assumed that, by design, keyloggers capture keystrokes and save them to file. If for example, “AbCdeF” was pressed on the keyboard, somewhere, some process is writing a file with the same bytes. So they check for this correlation by sending keys to all running processes and monitoring file activities and checking the number of bytes written. If the same amount of bytes were written to file, then the process that wrote that file is a keylogger.

Our ideas to circumvent this are presented below. Obviously, these are for educational purpose only.

1. Buffering.  We have a buffer that changes its size every time it writes its content to file. Here is how it works.

Let’s say we have buf[1024]. And let the first random buffer size be 750. Then we keep buffering until 750 is reached and write it to file. Then the next buffer size would be randomly chosen. Say 900. The process continues like that.

2. If we’re on an Internet-connected computer, we directly post the logged keystrokes on a remote server. That’s it, nothing on file.

3. Being selective when we capture keys. Let’s face it, when we capture keys, usually it’s password or something related. So why would we be interested in keys that are entered on Sublime? So, we targeted web browsers: Mozilla Firefox and Google Chrome. What does it mean? Their tool sends our keylogger a key and it is ignored. Keeps logging like a boss 🙂

There were also other ideas like having a different sized output (different size than the entered keys) on file by applying cryptography but the paper says they addressed this issue very well so we didn’t bother to test it. Will post code if anybody is interested.

The C source code of X11 based Linux keylogger can be found here.

This work got us full points.



IRC Remote Controller for uTorrent in C

Few years ago, I made an IRC bot uTorrent remote controller for personal use. There was no such tool during that time (even now, I think) but I badly needed it. The ideal case where you need this tool is for example when you run your torrent client on an office/school computer and you don’t have port forwarding (or you don’t have a static private IP) and you cannot control your torrents using the remote control that ships with uTorrent but you want to control your torrents from home. Let’s say you want something downloaded and you are at home (or anywhere), so you just go to some IRC channel on some server (configurable) and talk to the bot. Current features are adding new torrent (via direct URL), pausing, stoping, deleting and viewing status. A typical command looks like the following:

!add hxxp://www.somesite.com/sometorrentfile.torrent
[1] Some.File                                       700MB   340KB/s  68%
[2] Some.Other.File                       110MB   240KB/s  24%

Where the status is shown in different color background depending on the kind (stopped, paused, active). The bot joins the channel with random nick because when connection is interrupted for few minutes and comes back online, the bot cannot join using the old nick. This is because the server thinks the nick is in use until the PING request times out for the previous bot. In order to avoid this problem, each time the bot joins a channel, it uses a random nick. If the bot is in a bad connection, we might see many bots from the same machine but only one is active. The rest will leave the channel when they don’t respond to the server request in time. If anybody is interested, I will check if it still works on the current uTorrent client without modification and post source code (or maybe binary because the IRC bot might be used maliciously) with some explanation on GitHub. I normally prefer writing things in C so this was written in pure C.


Model checking using iSpin on Windows

Ever tried to do model verification using iSpin (on Windows) on a click of a button but couldn’t manage to get it to work? I had the same problem. Apparently, there aren’t good resources that solve this problem. Follow these steps to get it to work. This has been tested to work on Widnows 7 and Windows 8.

I assume you have iSpin and SPIN installed on you system. Now let’s proceed with the necessary components. While doing the command line verification, most probably you used Cygwin’s gcc. or if you haven’t done any model verification so far, please first download and install Cygwin (note that you can also use MinGW instead of Cygwin – but this solution works for both). Then download and install gcc – C, C++ compiler package. When the installation completes, click on the Start menu, then right click on Computer and click on Properties. On the left navigation, click on Advanced system settings — a dialog will appear. On the dialog, click on Environmental Variables. Now a new dialog will open. Under the System variables section, locate the variable Path, select it and click on Edit. At the end of Variable value, add semi-colon (;) and add the path where you installed Cygwin plus Bin folder. That is, if you installed Cygwin in C:\Cygwin, then add the following


If you’re using the MinGW version of gcc rather than Cygwin, use instead the following (assuming MinGW is installed in C:\MinGW\)


and click on OK. Then click on OK on the previous dialogs.

Now, navigate to the path where you installed SPIN. Locate iSpin, then open it in a text editor (I used Notepad++). Now locate the line that reads the following:

set CC      gcc

Add the following line just under it (select the one that applies for you)

set CC      “C:/Cygwin/bin/gcc”          ; for Cygwin users

set CC      “C:/MinGW/bin/gcc”          ; for MinGW users

That’s it. Save the file and close it. Now as a test, open iSpin and then open some model. Then write the LTL properties you want to verify inside the model, save it, and reopen it. Then go to the verification tab and adjust the commands to be used as per your requirements. Then click on the Run button. After some time, you should see the result on the Verification result window (the dark windows on the right bottom).


Installing WebGoat on Windows

Recently, I had to work on WebGoat to study the possible vulnerabilities we can have on a test web application. But since I used to normally work on Windows (Linux now), installing it and having it to start to work was a bit tiresome. After a while, I managed to install everything needed. So here are the steps I followed to get it work.

You need to have Java and Tomcat installed on your system. Assuming Java will be there, you can download Tomcat from here. Install Tomcat in the root folder instead of the Program Files folder to avoid messing with the permission settings. When the installation finishes, go to the installation directory and navigate to the conf folder and open tomcat-users.xml file. Under <tomcat-users> tag, insert the following text

<role rolename=”admin-gui”/>
<role rolename=”manager-gui”/>

<role rolename=”webgoat_admin”/>
<role rolename=”webgoat_user”/>
<role rolename=”webgoat_basic”/>

<user name=”webgoat” password=”webgoat” roles=”webgoat_admin” />
<user name=”guest” password=”guest” roles=”webgoat_user” />
<user name=”basic” password=”basic” roles=”webgoat_basic” />
<user name=”admin” password=”yourpassword” roles=”admin-gui,manager-gui” />

Now download the latest version of WebGoat WAR file from here. At this time, Tomcat should be listening on http://localhost:8080 unless you modified this setting during the installation of Tomcat. Open that address on your browser. Click on Manage App and then insert the username and password you specified at the last line of the above code. Then go down to WAR file to deploy section and locate your installation file from your download folder and click on Deploy.

That’s it. Now you should be able to see the WebGoat app working by navigating to http://localhost:8080/WebGoat/attack.